Return extended status in the response of server.
This policy will control the visibility for a set of attributes:
- OS-EXT-STS:task_state
- OS-EXT-STS:vm_state
- OS-EXT-STS:power_state

os_compute_api:os-extended-volumes

Default:

rule:admin_or_owner

Operations:

GET /servers/{id}

GET /servers/detail

Return 'os-extended-volumes:volumes_attached' in the response of server

os_compute_api:extensions

Default:

rule:admin_or_owner

Operations:

GET /extensions

GET /extensions/{alias}

List available extensions and show information for an extension by alias

os_compute_api:os-fixed-ips

Default:

rule:admin_api

Operations:

GET /os-fixed-ips/{fixed_ip}

POST /os-fixed-ips/{fixed_ip}/action (reserve)

POST /os-fixed-ips/{fixed_ip}/action (unreserve)

Show details for, reserve and unreserve a fixed IP address.
These APIs are only available with nova-network which is deprecated.

os_compute_api:os-flavor-access:add_tenant_access

Default:

rule:admin_api

Operations:

POST /flavors/{flavor_id}/action (addTenantAccess)

Add flavor access to a tenant

os_compute_api:os-flavor-access:remove_tenant_access

Default:

rule:admin_api

Operations:

POST /flavors/{flavor_id}/action (removeTenantAccess)

Remove flavor access from a tenant

os_compute_api:os-flavor-access

Default:

rule:admin_or_owner

Operations:

GET /flavors/{flavor_id}/os-flavor-access

GET /flavors/detail

GET /flavors/{flavor_id}

POST /flavors

List flavor access information
Adds the os-flavor-access:is_public key into several flavor APIs.
It also allows access to the full list of tenants that have access
to a flavor via an os-flavor-access API.

os_compute_api:os-flavor-extra-specs:show

Default:

rule:admin_or_owner

Operations:

GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Show an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:create

Default:

rule:admin_api

Operations:

POST /flavors/{flavor_id}/os-extra_specs/

Create extra specs for a flavor

os_compute_api:os-flavor-extra-specs:update

Default:

rule:admin_api

Operations:

PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Update an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:delete

Default:

rule:admin_api

Operations:

DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Delete an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:index

Default:

rule:admin_or_owner

Operations:

GET /flavors/{flavor_id}/os-extra_specs/

List extra specs for a flavor

os_compute_api:os-flavor-manage

Default:

rule:admin_api

Operations:

POST /flavors

DELETE /flavors/{flavor_id}

Create and delete Flavors. Deprecated in Pike and will be removed in a future release.

os_compute_api:os-flavor-manage:create

Default:

rule:os_compute_api:os-flavor-manage

Operations:

POST /flavors

Create a flavor

os_compute_api:os-flavor-manage:delete

Default:

rule:os_compute_api:os-flavor-manage

Operations:

DELETE /flavors/{flavor_id}

Delete a flavor

os_compute_api:os-flavor-rxtx

Default:

rule:admin_or_owner

Operations:

GET /flavors/detail

GET /flavors/{flavor_id}

POST /flavors

Add the rxtx_factor key into some Flavor APIs

os_compute_api:flavors

Default:

rule:admin_or_owner

Deprecated in Pike and will be removed in the next release.

os_compute_api:os-floating-ip-dns

Default:

rule:admin_or_owner

Operations:

GET /os-floating-ip-dns

GET /os-floating-ip-dns/{domain}/entries/{ip}

GET /os-floating-ip-dns/{domain}/entries/{name}

PUT /os-floating-ip-dns/{domain}/entries/{name}

DELETE /os-floating-ip-dns/{domain}/entries/{name}

List registered DNS domains, and CRUD actions on domain names.
Note this only works with nova-network and this API is deprecated.

os_compute_api:os-floating-ip-dns:domain:update

Default:

rule:admin_api

Operations:

PUT /os-floating-ip-dns/{domain}

Create or update a DNS domain.

os_compute_api:os-floating-ip-dns:domain:delete

Default:

rule:admin_api

Operations:

DELETE /os-floating-ip-dns/{domain}

Delete a DNS domain.

os_compute_api:os-floating-ip-pools

Default:

rule:admin_or_owner

Operations:

GET /os-floating-ip-pools

List floating IP pools. This API is deprecated.

os_compute_api:os-floating-ips

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (addFloatingIp)

POST /servers/{server_id}/action (removeFloatingIp)

GET /os-floating-ips

POST /os-floating-ips

GET /os-floating-ips/{floating_ip_id}

DELETE /os-floating-ips/{floating_ip_id}

Manage a project's floating IPs. These APIs are all deprecated.

os_compute_api:os-floating-ips-bulk

Default:

rule:admin_api

Operations:

GET /os-floating-ips-bulk

POST /os-floating-ips-bulk

PUT /os-floating-ips-bulk/delete

GET /os-floating-ips-bulk/{host_name}

Bulk-create, delete, and list floating IPs. API is deprecated.

os_compute_api:os-fping:all_tenants

Default:

rule:admin_api

Operations:

GET /os-fping?all_tenants=true

Pings instances for all projects and reports which instances
are alive.
os-fping API is deprecated as this works only with nova-network
which itself is deprecated.

os_compute_api:os-fping

Default:

rule:admin_or_owner

Operations:

GET /os-fping

GET /os-fping/{instance_id}

Pings instances, or a particular instance, and reports which instances
are alive.
os-fping API is deprecated as this works only with nova-network
which itself is deprecated.

os_compute_api:os-hide-server-addresses

Default:

is_admin:False

Operations:

GET /servers/{id}

GET /servers/detail

Hide server's 'addresses' key in the server response.
This sets the 'addresses' key in the server response to an empty
dictionary when the server is in a specific set of states as
defined in CONF.api.hide_server_address_states.
By default 'addresses' is hidden only when the server is in
'BUILDING' state.

os_compute_api:os-hosts

Default:

rule:admin_api

Operations:

GET /os-hosts

GET /os-hosts/{host_name}

PUT /os-hosts/{host_name}

GET /os-hosts/{host_name}/reboot

GET /os-hosts/{host_name}/shutdown

GET /os-hosts/{host_name}/startup

List, show and manage physical hosts.
These APIs are all deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hypervisors

Default:

rule:admin_api

Operations:

GET /os-hypervisors

GET /os-hypervisors/details

GET /os-hypervisors/statistics

GET /os-hypervisors/{hypervisor_id}

GET /os-hypervisors/{hypervisor_id}/uptime

GET /os-hypervisors/{hypervisor_hostname_pattern}/search

GET /os-hypervisors/{hypervisor_hostname_pattern}/servers

Policy rule for hypervisor related APIs.
This rule will be checked for the following APIs:
List all hypervisors, list all hypervisors with details, show
summary statistics for all hypervisors over all compute nodes,
show details for a hypervisor, show the uptime of a hypervisor,
search hypervisor by hypervisor_hostname pattern and list all
servers on hypervisors that can match the provided
hypervisor_hostname pattern.

os_compute_api:image-size

Default:

rule:admin_or_owner

Operations:

GET /images/{id}

GET /images/detail

Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.

os_compute_api:os-instance-actions:events

Default:

rule:admin_api

Operations:

GET /servers/{server_id}/os-instance-actions/{request_id}

Add events details in action details for a server.
This check is performed only after the check
os_compute_api:os-instance-actions passes. Beginning with
Microversion 2.51, events details are always included; traceback
information is provided per event if policy enforcement passes.

os_compute_api:os-instance-actions

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/os-instance-actions

GET /servers/{server_id}/os-instance-actions/{request_id}

List actions and show action details for a server.

os_compute_api:os-instance-usage-audit-log

Default:

rule:admin_api

Operations:

GET /os-instance_usage_audit_log

GET /os-instance_usage_audit_log/{before_timestamp}

List all usage audits, and those that occurred before a specified time, for all servers on all compute hosts where usage auditing is configured.

os_compute_api:ips:show

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/ips/{network_label}

Show IP addresses details for a network label of a server

os_compute_api:ips:index

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/ips

List IP addresses that are assigned to a server

os_compute_api:os-keypairs:index

Default:

rule:admin_api or user_id:%(user_id)s

Operations:

GET /os-keypairs

List all keypairs

os_compute_api:os-keypairs:create

Default:

rule:admin_api or user_id:%(user_id)s

Operations:

POST /os-keypairs

Create a keypair

os_compute_api:os-keypairs:delete

Default:

rule:admin_api or user_id:%(user_id)s

Operations:

DELETE /os-keypairs/{keypair_name}

Delete a keypair

os_compute_api:os-keypairs:show

Default:

rule:admin_api or user_id:%(user_id)s

Operations:

GET /os-keypairs/{keypair_name}

Show details of a keypair

os_compute_api:os-keypairs

Default:

rule:admin_or_owner

Operations:

GET /servers/{id}

GET /servers/detail

Return 'key_name' in the response of server.

os_compute_api:limits

Default:

rule:admin_or_owner

Operations:

GET /limits

Show rate and absolute limits for the project

os_compute_api:os-lock-server:lock

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (lock)

Lock a server

os_compute_api:os-lock-server:unlock

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (unlock)

Unlock a server

os_compute_api:os-lock-server:unlock:unlock_override

Default:

rule:admin_api

Operations:

POST /servers/{server_id}/action (unlock)

Unlock a server, regardless of who locked the server.
This check is performed only after the check
os_compute_api:os-lock-server:unlock passes

os_compute_api:os-migrate-server:migrate

Default:

rule:admin_api

Operations:

POST /servers/{server_id}/action (migrate)

Cold migrate a server to a host

os_compute_api:os-migrate-server:migrate_live

Default:

rule:admin_api

Operations:

POST /servers/{server_id}/action (os-migrateLive)

Live migrate a server to a new host without a reboot

os_compute_api:os-migrations:index

Default:

rule:admin_api

Operations:

GET /os-migrations

List migrations

os_compute_api:os-multinic

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (addFixedIp)

POST /servers/{server_id}/action (removeFixedIp)

Add or remove a fixed IP address from a server.
These APIs are proxy calls to the Network service. These are all
deprecated.

os_compute_api:os-networks

Default:

rule:admin_api

Operations:

POST /os-networks

POST /os-networks/add

DELETE /os-networks/{network_id}

POST /os-networks/{network_id}/action (disassociate)

Create and delete a network, add and disassociate a network
from a project.
These APIs are only available with nova-network which is deprecated.

os_compute_api:os-networks:view

Default:

rule:admin_or_owner

Operations:

GET /os-networks

GET /os-networks/{network_id}

List networks for the project and show details for a network.
These APIs are proxy calls to the Network service. These are all
deprecated.

os_compute_api:os-networks-associate

Default:

rule:admin_api

Operations:

POST /os-networks/{network_id}/action (disassociate_host)

POST /os-networks/{network_id}/action (disassociate_project)

POST /os-networks/{network_id}/action (associate_host)

Associate or disassociate a network from a host or project.
These APIs are only available with nova-network which is deprecated.

List, show information for, create, or delete default security
group rules.
These APIs are only available with nova-network which is now deprecated.

os_compute_api:os-security-groups

Default:

rule:admin_or_owner

Operations:

GET /os-security-groups

GET /os-security-groups/{security_group_id}

POST /os-security-groups

PUT /os-security-groups/{security_group_id}

DELETE /os-security-groups/{security_group_id}

GET /servers/{server_id}/os-security-groups

POST /servers/{server_id}/action (addSecurityGroup)

POST /servers/{server_id}/action (removeSecurityGroup)

POST /servers

GET /servers/{server_id}

GET /servers/detail

List, show, add, or remove security groups.
APIs which are directly related to security groups resource are deprecated:
Lists, shows information for, creates, updates and deletes
security groups. Creates and deletes security group rules. All these
APIs are deprecated.
APIs which are related to server resource are not deprecated:
Lists Security Groups for a server. Add Security Group to a server
and remove security group from a server. Expand security_groups in
server representation

os_compute_api:os-server-diagnostics

Default:

rule:admin_api

Operations:

GET /servers/{server_id}/diagnostics

Show the usage data for a server

os_compute_api:os-server-external-events:create

Default:

rule:admin_api

Operations:

POST /os-server-external-events

Create one or more external events

os_compute_api:os-server-groups

Default:

rule:admin_or_owner

Deprecated in Pike and will be removed in the next release.

os_compute_api:os-server-groups:create

Default:

rule:os_compute_api:os-server-groups

Operations:

POST /os-server-groups

Create a new server group

os_compute_api:os-server-groups:delete

Default:

rule:os_compute_api:os-server-groups

Operations:

DELETE /os-server-groups/{server_group_id}

Delete a server group

os_compute_api:os-server-groups:index

Default:

rule:os_compute_api:os-server-groups

Operations:

GET /os-server-groups

List all server groups

os_compute_api:os-server-groups:show

Default:

rule:os_compute_api:os-server-groups

Operations:

GET /os-server-groups/{server_group_id}

Show details of a server group

os_compute_api:server-metadata:index

Default:

rule:admin_or_owner

Operations:

GET /servers/server_id/metadata

List all metadata of a server

os_compute_api:server-metadata:show

Default:

rule:admin_or_owner

Operations:

GET /servers/server_id/metadata/{key}

Show metadata for a server

os_compute_api:server-metadata:create

Default:

rule:admin_or_owner

Operations:

POST /servers/server_id/metadata

Create metadata for a server

os_compute_api:server-metadata:update_all

Default:

rule:admin_or_owner

Operations:

PUT /servers/server_id/metadata

Replace metadata for a server

os_compute_api:server-metadata:update

Default:

rule:admin_or_owner

Operations:

PUT /servers/server_id/metadata/{key}

Update metadata from a server

os_compute_api:server-metadata:delete

Default:

rule:admin_or_owner

Operations:

DELETE /servers/server_id/metadata/{key}

Delete metadata from a server

os_compute_api:os-server-password

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/os-server-password

DELETE /servers/{server_id}/os-server-password

Show and clear the encrypted administrative password of a server

os_compute_api:os-server-tags:delete_all

Default:

rule:admin_or_owner

Operations:

DELETE /servers/{server_id}/tags

Delete all the server tags

os_compute_api:os-server-tags:index

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/tags

List all tags for given server

os_compute_api:os-server-tags:update_all

Default:

rule:admin_or_owner

Operations:

PUT /servers/{server_id}/tags

Replace all tags on specified server with the new set of tags.

os_compute_api:os-server-tags:delete

Default:

rule:admin_or_owner

Operations:

DELETE /servers/{server_id}/tags/{tag}

Delete a single tag from the specified server

os_compute_api:os-server-tags:update

Default:

rule:admin_or_owner

Operations:

PUT /servers/{server_id}/tags/{tag}

Add a single tag to the server if server has no specified tag

os_compute_api:os-server-tags:show

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/tags/{tag}

Check tag existence on the server.

os_compute_api:os-server-usage

Default:

rule:admin_or_owner

Operations:

GET /servers/{id}

GET /servers/detail

Add 'OS-SRV-USG:launched_at' & 'OS-SRV-USG:terminated_at' attribute
in the server response.
This check is performed only after the check
'os_compute_api:servers:show' for GET /servers/{id} and
'os_compute_api:servers:detail' for GET /servers/detail passes

os_compute_api:servers:index

Default:

rule:admin_or_owner

Operations:

GET /servers

List all servers

os_compute_api:servers:detail

Default:

rule:admin_or_owner

Operations:

GET /servers/detail

List all servers with detailed information

os_compute_api:servers:index:get_all_tenants

Default:

rule:admin_api

Operations:

GET /servers

List all servers for all projects

os_compute_api:servers:detail:get_all_tenants

Default:

rule:admin_api

Operations:

GET /servers/detail

List all servers with detailed information for all projects

os_compute_api:servers:show

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}

Show a server

os_compute_api:servers:show:host_status

Default:

rule:admin_api

Operations:

GET /servers/{server_id}

GET /servers/detail

Show a server with additional host status information

os_compute_api:servers:create

Default:

rule:admin_or_owner

Operations:

POST /servers

Create a server

os_compute_api:servers:create:forced_host

Default:

rule:admin_api

Operations:

POST /servers

Create a server on the specified host

os_compute_api:servers:create:attach_volume

Default:

rule:admin_or_owner

Operations:

POST /servers

Create a server with the requested volume attached to it

os_compute_api:servers:create:attach_network

Default:

rule:admin_or_owner

Operations:

POST /servers

Create a server with the requested network attached to it

os_compute_api:servers:create:zero_disk_flavor

Default:

rule:admin_or_owner

Operations:

POST /servers

This rule controls the compute API validation behavior of creating a server
with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the
image used to deploy the instance. However, in this case the filter_scheduler
cannot select the compute host based on the virtual image size. Therefore, 0
should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule
if users can upload their own images since repeated attempts to
create a disk=0 flavor instance with a large image can exhaust
the local disk of the compute (or shared storage cluster). See bug
https://bugs.launchpad.net/nova/+bug/1739646 for details.
This rule defaults to rule:admin_or_owner for backward compatibility but
will be changed to default to rule:admin_api in a subsequent release.
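
An added example, not part of the Nova documentation: a small audit that resolves `rule:` references (as used by the os-flavor-manage create/delete defaults on this page) and reports admin-only policies that an operator override has loosened, plus the zero_disk_flavor rule while it is not admin-only. The defaults are a subset copied from this page; `OVERRIDES` is a constructed sample, and the string comparison against `rule:admin_api` is a review heuristic, not an oslo.policy evaluation.

```python
import re

# Matches a reference to another named rule inside a check string.
RULE_REF = re.compile(r"rule:([A-Za-z0-9_:\-]+)")

ADMIN_ONLY = "rule:admin_api"
ZERO_DISK = "os_compute_api:servers:create:zero_disk_flavor"

# Subset of the defaults listed on this page.
PAGE_DEFAULTS = {
    "os_compute_api:os-flavor-manage": "rule:admin_api",
    "os_compute_api:os-flavor-manage:create": "rule:os_compute_api:os-flavor-manage",
    "os_compute_api:os-flavor-manage:delete": "rule:os_compute_api:os-flavor-manage",
    "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
    "os_compute_api:servers:create:forced_host": "rule:admin_api",
    ZERO_DISK: "rule:admin_or_owner",
}

# Constructed operator overrides (what a local policy file might contain).
OVERRIDES = {
    "os_compute_api:os-flavor-manage": "rule:admin_or_owner",
    "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
}


def effective(name, rules, _seen=()):
    """Expand rule:<name> references that are defined in `rules`.

    Base rules such as admin_api and admin_or_owner are not in the table,
    so they are left in place as leaves.
    """
    if name in _seen:
        raise ValueError("cyclic rule reference: " + " -> ".join(_seen + (name,)))

    def expand(match):
        ref = match.group(1)
        if ref not in rules:
            return match.group(0)
        inner = effective(ref, rules, _seen + (name,))
        return f"({inner})" if " " in inner else inner

    return RULE_REF.sub(expand, rules[name])


def audit(overrides, defaults=PAGE_DEFAULTS):
    """Return (policy, finding, effective_check) tuples that need review."""
    merged = {**defaults, **overrides}
    findings = []
    for name in sorted(defaults):
        before = effective(name, defaults)
        after = effective(name, merged)
        if before == ADMIN_ONLY and after != ADMIN_ONLY:
            # Admin-only by default, something else after overrides.
            findings.append((name, "relaxed", after))
        elif name == ZERO_DISK and after != ADMIN_ONLY:
            # The page warns about local disk exhaustion for this rule.
            findings.append((name, "disk-exhaustion-risk", after))
    return findings


if __name__ == "__main__":
    for policy, finding, check in audit(OVERRIDES):
        print(f"{finding:22} {policy} -> {check}")
```

Overriding the deprecated parent rule changes both child policies, which is why the audit compares effective checks rather than the literal override strings.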

List all running Compute services in a region, enable or disable scheduling for a Compute service, log disabled Compute service information, set or unset the forced_down flag for the compute service and delete a Compute service.

os_compute_api:os-shelve:shelve

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (shelve)

Shelve server

os_compute_api:os-shelve:unshelve

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (unshelve)

Unshelve (restore) shelved server

os_compute_api:os-shelve:shelve_offload

Default:

rule:admin_api

Operations:

POST /servers/{server_id}/action (shelveOffload)

Shelf-offload (remove) server

os_compute_api:os-simple-tenant-usage:show

Default:

rule:admin_or_owner

Operations:

GET /os-simple-tenant-usage/{tenant_id}

Show usage statistics for a specific tenant

os_compute_api:os-simple-tenant-usage:list

Default:

rule:admin_api

Operations:

GET /os-simple-tenant-usage

List per tenant usage statistics for all tenants

os_compute_api:os-suspend-server:resume

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (resume)

Resume suspended server

os_compute_api:os-suspend-server:suspend

Default:

rule:admin_or_owner

Operations:

POST /servers/{server_id}/action (suspend)

Suspend server

os_compute_api:os-tenant-networks

Default:

rule:admin_or_owner

Operations:

GET /os-tenant-networks

POST /os-tenant-networks

GET /os-tenant-networks/{network_id}

DELETE /os-tenant-networks/{network_id}

Create, list, show information for, and delete project networks.
These APIs are proxy calls to the Network service. These are all
deprecated.

os_compute_api:os-used-limits

Default:

rule:admin_api

Operations:

GET /limits

Show rate and absolute limits for the project.
This policy only checks if the user has access to the requested
project limits. And this check is performed only after the check
os_compute_api:limits passes

os_compute_api:os-virtual-interfaces

Default:

rule:admin_or_owner

Operations:

GET /servers/{server_id}/os-virtual-interfaces

List virtual interfaces.
This works only with the nova-network service, which is now deprecated

os_compute_api:os-volumes

Default:

rule:admin_or_owner

Operations:

GET /os-volumes

POST /os-volumes

GET /os-volumes/detail

GET /os-volumes/{volume_id}

DELETE /os-volumes/{volume_id}

GET /os-snapshots

POST /os-snapshots

GET /os-snapshots/detail

GET /os-snapshots/{snapshot_id}

DELETE /os-snapshots/{snapshot_id}

Manage volumes for use with the Compute API.
Lists, shows details, creates, and deletes volumes and
snapshots. These APIs are proxy calls to the Volume service.
These are all deprecated.